xmrig | bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f

General

Target

tmp.exe
Size

2.6MB
MD5

34d4591575fdbde20d36469f54b0022f
SHA1

0a938faca18c4733bc5fad3b1ae8c523eebcba86
SHA256

bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f
SHA512

daf858837283aa9a7f211ecbad745640070645099cbf84a73bd4a23cd166f86a884e8156fa7e76da3d2866dd8ce8fc0e3fe6d983c90558c9a1ab5ddb29f23643
SSDEEP

49152:CrifRBLHC9vvGmkPqzwhzcVUjEBjALZSIlvPfcM/uW8/ae89VqyJBbtKn7:CrALHC9vGm6hILBjALUIlvPUM2W3e89I

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2724-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2724-11-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2724-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2724-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2724-15-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2724-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2724-17-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2724-18-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2724-19-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow	pid	Process
3	2724	cmd.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

Processes:

uyzpsnbeowaz.exe

pid	Process
476
1744	uyzpsnbeowaz.exe

Loads dropped DLL 1 IoCs

Processes:

pid	Process
476

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2724-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-8-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-11-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2724-19-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

uyzpsnbeowaz.exe

description	pid	Process	procid_target
PID 1744 set thread context of 2724	1744	uyzpsnbeowaz.exe	49

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
2940	sc.exe
332	sc.exe
1504	sc.exe
624	sc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

tmp.exeuyzpsnbeowaz.exe

pid	Process
1384	tmp.exe
1384	tmp.exe
1384	tmp.exe
1384	tmp.exe
1384	tmp.exe
1384	tmp.exe
1384	tmp.exe
1384	tmp.exe
1744	uyzpsnbeowaz.exe
1744	uyzpsnbeowaz.exe
1744	uyzpsnbeowaz.exe
1744	uyzpsnbeowaz.exe
1744	uyzpsnbeowaz.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exe

description	pid	Process
Token: SeShutdownPrivilege	2068	powercfg.exe
Token: SeShutdownPrivilege	2076	powercfg.exe
Token: SeShutdownPrivilege	3016	powercfg.exe
Token: SeShutdownPrivilege	1992	powercfg.exe
Token: SeShutdownPrivilege	2808	powercfg.exe
Token: SeShutdownPrivilege	1236	powercfg.exe
Token: SeShutdownPrivilege	2600	powercfg.exe
Token: SeShutdownPrivilege	2704	powercfg.exe
Token: SeLockMemoryPrivilege	2724	cmd.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

uyzpsnbeowaz.exe

description	pid	Process	procid_target
PID 1744 wrote to memory of 2724	1744	uyzpsnbeowaz.exe	49
PID 1744 wrote to memory of 2724	1744	uyzpsnbeowaz.exe	49
PID 1744 wrote to memory of 2724	1744	uyzpsnbeowaz.exe	49
PID 1744 wrote to memory of 2724	1744	uyzpsnbeowaz.exe	49
PID 1744 wrote to memory of 2724	1744	uyzpsnbeowaz.exe	49

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1384
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:2940
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "EUJBTPMK" binpath= "C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:332
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:1504
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:624

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
1.0MB

MD5
44b8debfc5f7df7e1d08318a4b5cc2a6

SHA1
ebb119656cd10a635080f08ee7908811038732cb

SHA256
a25406e5cf8fc4fbb719451ee37d31c9495bd9db2de6a14edaef37954e3afec7

SHA512
2945c9aaabaad95c2959c142ecbe193c663db030cde24eda4642e9acca266269fa49470dab729bad3113a14aa64fb9ac1fccc6a62d12e848b9f3a46fe1f2d0a3

Download Submit
\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
1022KB

MD5
f807d8b4851f6ef63fd99ebd250d7c2f

SHA1
f396d1cf486a04c62421cef6973b5ee29b2b9bd0

SHA256
8e7d888d29b79fb0bf32755132283b81800472ecd4215abdad6e21e9903b7000

SHA512
c7345582577ceb47f4ae4791584fa49f017a6a89f02d5a03d8d977bbb7136e572811b9f69d5879e3818d5790ab189a8ebcaf3d7dce6fe682624f8fff63e187f5

Download Submit
\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
976KB

MD5
1587be9e0e78767c7ccd501cf894fb97

SHA1
90972e1b75de59f7f344008a859f70b6b14dbea6

SHA256
3ebf7cbd39f35f6245c13df621204f94981cca4c249d158e63b1daa3fefee8a1

SHA512
7e4668e522bfd482f325349d4d038ccac16696810c4e569b83fab63a14daf243d75843ad8e98dfc5996c07dbf7b3c0367a9c8ad619d001d98b8020916bdaa41c

Download Submit
memory/2724-11-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-8-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-12-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2724-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-19-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2724-20-0x00000000008B0000-0x00000000008D0000-memory.dmp

Filesize
128KB

Download
memory/2724-21-0x00000000008D0000-0x00000000008F0000-memory.dmp

Filesize
128KB

Download
memory/2724-22-0x00000000008B0000-0x00000000008D0000-memory.dmp

Filesize
128KB

Download
memory/2724-23-0x00000000008D0000-0x00000000008F0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads