xmrig | a8ae29395e8234f4d2a35a88ff8d34b353c716d81d0d7e05eacc5d4e2a2aacc8

General

Target

tmp.exe
Size

2.5MB
MD5

f44f200e7d7f8ae6035b382a2a4240dd
SHA1

8f11e6d44050813db4aa6ba0971ab873cc3ad797
SHA256

a8ae29395e8234f4d2a35a88ff8d34b353c716d81d0d7e05eacc5d4e2a2aacc8
SHA512

193781602d1768e170dd9ed149fd07fe72f84789a7d25fe59ad62555f381e7470b4d30866609cf4a387834ed7fda7a2a552d8654117c5dea5cf3288b58c68a39
SSDEEP

49152:3hU0Vy41dosEvIMf9FhcBYFUjeCnfDCvNb2aeP4mN:RU0zPoTvIYnh8vIlq

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral2/memory/4888-9-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-12-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-15-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-17-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-18-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-20-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-21-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-22-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4888-23-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
3476	smazgcisoglo.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4888-4-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-8-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-12-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-20-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-21-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-22-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4888-23-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3476 set thread context of 4888	3476	smazgcisoglo.exe	98

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2420	sc.exe
3796	sc.exe
3452	sc.exe
1852	sc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3572	tmp.exe
3572	tmp.exe
3572	tmp.exe
3572	tmp.exe
3476	smazgcisoglo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4888	explorer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 4888	3476	smazgcisoglo.exe	98
PID 3476 wrote to memory of 4888	3476	smazgcisoglo.exe	98
PID 3476 wrote to memory of 4888	3476	smazgcisoglo.exe	98
PID 3476 wrote to memory of 4888	3476	smazgcisoglo.exe	98
PID 3476 wrote to memory of 4888	3476	smazgcisoglo.exe	98

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3572
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "XGRXZRAP"
  2⤵
  - Launches sc.exe
  PID:2420
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "XGRXZRAP" binpath= "C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:3796
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:3452
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "XGRXZRAP"
  2⤵
  - Launches sc.exe
  PID:1852

C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe

Filesize
1.0MB

MD5
145c5edb288706e4b629545ab3c80e8f

SHA1
ee2acb3d83c0da72ae6963bdeb899f3c435d2537

SHA256
a0bce6ec2dfa6cf8bb82a84bb2a81e8b36c8cbba698eb7b6c275ea91b2ddd0d3

SHA512
58815349f4ee6d7e5024edf5b6265f24aca7ece44ec85e0d9dc4f37e90072ef9d3c9d9870e89688a4a686f84b9ecee85436d3b30c991d833bead84492717c847

Download Submit
C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe

Filesize
68KB

MD5
809cc1682de16e24f589d9b28e41636d

SHA1
b120dde1ceb228d8dd1894818fee35c4e377847c

SHA256
d7d96b7987ea84e038edc3eca7c0eeb89624e29831206192ba63e24dc4253ca8

SHA512
721a4bbe2007d6c2183245bf6b3e32120d402948284e31017d0894443d735372bea6059990ba8ecf23722f62bad90f030bf1c45745a102d3b61cb5c440ec8972

Download Submit
memory/4888-4-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-8-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-11-0x00000000013E0000-0x0000000001400000-memory.dmp

Filesize
128KB

Download
memory/4888-12-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-19-0x0000000001450000-0x0000000001470000-memory.dmp

Filesize
128KB

Download
memory/4888-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-20-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-21-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-22-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-25-0x0000000001F30000-0x0000000001F50000-memory.dmp

Filesize
128KB

Download
memory/4888-24-0x0000000001F10000-0x0000000001F30000-memory.dmp

Filesize
128KB

Download
memory/4888-23-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-26-0x0000000001F10000-0x0000000001F30000-memory.dmp

Filesize
128KB

Download
memory/4888-27-0x0000000001F30000-0x0000000001F50000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing