xmrig | bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f

General

Target

file.exe
Size

2.6MB
MD5

34d4591575fdbde20d36469f54b0022f
SHA1

0a938faca18c4733bc5fad3b1ae8c523eebcba86
SHA256

bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f
SHA512

daf858837283aa9a7f211ecbad745640070645099cbf84a73bd4a23cd166f86a884e8156fa7e76da3d2866dd8ce8fc0e3fe6d983c90558c9a1ab5ddb29f23643
SSDEEP

49152:CrifRBLHC9vvGmkPqzwhzcVUjEBjALZSIlvPfcM/uW8/ae89VqyJBbtKn7:CrALHC9vGm6hILBjALUIlvPUM2W3e89I

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2560-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-11-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-15-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-17-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-18-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-19-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow	pid	Process
3	2560	cmd.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

Processes:

uyzpsnbeowaz.exe

pid	Process
468
2580	uyzpsnbeowaz.exe

Loads dropped DLL 1 IoCs

Processes:

pid	Process
468

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2560-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-8-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-11-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-19-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

uyzpsnbeowaz.exe

description	pid	Process	procid_target
PID 2580 set thread context of 2560	2580	uyzpsnbeowaz.exe	53

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
2892	sc.exe
2872	sc.exe
3000	sc.exe
2732	sc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

file.exeuyzpsnbeowaz.exe

pid	Process
2668	file.exe
2668	file.exe
2668	file.exe
2668	file.exe
2668	file.exe
2668	file.exe
2668	file.exe
2668	file.exe
2580	uyzpsnbeowaz.exe
2580	uyzpsnbeowaz.exe
2580	uyzpsnbeowaz.exe
2580	uyzpsnbeowaz.exe
2580	uyzpsnbeowaz.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
468

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exe

description	pid	Process
Token: SeShutdownPrivilege	2792	powercfg.exe
Token: SeShutdownPrivilege	2776	powercfg.exe
Token: SeShutdownPrivilege	2796	powercfg.exe
Token: SeShutdownPrivilege	2832	powercfg.exe
Token: SeShutdownPrivilege	2696	powercfg.exe
Token: SeShutdownPrivilege	2624	powercfg.exe
Token: SeShutdownPrivilege	2648	powercfg.exe
Token: SeShutdownPrivilege	2004	powercfg.exe
Token: SeLockMemoryPrivilege	2560	cmd.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

uyzpsnbeowaz.exe

description	pid	Process	procid_target
PID 2580 wrote to memory of 2560	2580	uyzpsnbeowaz.exe	53
PID 2580 wrote to memory of 2560	2580	uyzpsnbeowaz.exe	53
PID 2580 wrote to memory of 2560	2580	uyzpsnbeowaz.exe	53
PID 2580 wrote to memory of 2560	2580	uyzpsnbeowaz.exe	53
PID 2580 wrote to memory of 2560	2580	uyzpsnbeowaz.exe	53

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:2732
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "EUJBTPMK" binpath= "C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2892
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:2872
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:3000

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
1.1MB

MD5
ecb38255893cae6a2aa09abfa5a57c5a

SHA1
0900f2c04734ba552be2b819f1d9d863bb5434fc

SHA256
2e23fa641e86649a5268a185e0b2b380991681336b586b4d515aadbdca6f9368

SHA512
393931e3c1dd5e787e5c5c938d4bd184598285c69ca507c10c8c3bf6dfe94626c0230a5ecc5042bcde8f0f3e05e17d31632c854444677c19806e0893ed181012

Download Submit
\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
1.2MB

MD5
6f14735aa2377978b3161c9a7a51fed5

SHA1
3438a2a891f6a6351b341af0e017733098edeb62

SHA256
a606b3c7cd4b66e10cfe5834a989e9fbcf63eaf7d558773b260f8ef67f57b2fb

SHA512
f27b9333ab4de44b27afea4a21fda2d675cf753b37ad3f49e174bab7cb19718d04807c27c1530d5827dff7166bb052727e48a95bf18c3987b7301cbb67a22176

Download Submit
\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
1.0MB

MD5
15aaa8d859aaac02210ae0f8d1896216

SHA1
84ada14763704ec6cbaf17bdae9f5cb13e4bce64

SHA256
b5150756d23e323497690d6ea0bc6c9c1aa15a8def8b4da726c59e98d16382c0

SHA512
a64dfb542d47a0dc5c8add0f8883eb7d4a9163c2e392b778fa1d84adf8a9e47e3b5044d4742b2774b0e15b596f80b954c0d4b2387236639454f7acf659852341

Download Submit
memory/2560-12-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2560-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-8-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-11-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-20-0x0000000000BB0000-0x0000000000BD0000-memory.dmp

Filesize
128KB

Download
memory/2560-19-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-21-0x0000000000BD0000-0x0000000000BF0000-memory.dmp

Filesize
128KB

Download
memory/2560-22-0x0000000000BB0000-0x0000000000BD0000-memory.dmp

Filesize
128KB

Download
memory/2560-23-0x0000000000BD0000-0x0000000000BF0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads