xmrig | bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f

General

Target

bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
Size

2.6MB
MD5

34d4591575fdbde20d36469f54b0022f
SHA1

0a938faca18c4733bc5fad3b1ae8c523eebcba86
SHA256

bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f
SHA512

daf858837283aa9a7f211ecbad745640070645099cbf84a73bd4a23cd166f86a884e8156fa7e76da3d2866dd8ce8fc0e3fe6d983c90558c9a1ab5ddb29f23643
SSDEEP

49152:CrifRBLHC9vvGmkPqzwhzcVUjEBjALZSIlvPfcM/uW8/ae89VqyJBbtKn7:CrALHC9vGm6hILBjALUIlvPUM2W3e89I

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2624-11-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-15-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-17-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-18-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-19-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2624	cmd.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
464	Process not Found
2788	uyzpsnbeowaz.exe

Loads dropped DLL 1 IoCs

pid	Process
464	Process not Found

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2624-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-8-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-11-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-19-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 2624	2788	uyzpsnbeowaz.exe	36

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2796	sc.exe
2888	sc.exe
2600	sc.exe
2572	sc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2864	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
2864	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
2864	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
2864	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
2864	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
2864	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
2864	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
2864	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
2788	uyzpsnbeowaz.exe
2788	uyzpsnbeowaz.exe
2788	uyzpsnbeowaz.exe
2788	uyzpsnbeowaz.exe
2788	uyzpsnbeowaz.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2712	powercfg.exe
Token: SeShutdownPrivilege	2708	powercfg.exe
Token: SeShutdownPrivilege	1072	powercfg.exe
Token: SeShutdownPrivilege	2772	powercfg.exe
Token: SeShutdownPrivilege	2676	powercfg.exe
Token: SeShutdownPrivilege	2612	powercfg.exe
Token: SeShutdownPrivilege	2564	powercfg.exe
Token: SeShutdownPrivilege	2560	powercfg.exe
Token: SeLockMemoryPrivilege	2624	cmd.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2624	2788	uyzpsnbeowaz.exe	36
PID 2788 wrote to memory of 2624	2788	uyzpsnbeowaz.exe	36
PID 2788 wrote to memory of 2624	2788	uyzpsnbeowaz.exe	36
PID 2788 wrote to memory of 2624	2788	uyzpsnbeowaz.exe	36
PID 2788 wrote to memory of 2624	2788	uyzpsnbeowaz.exe	36

C:\Users\Admin\AppData\Local\Temp\bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
"C:\Users\Admin\AppData\Local\Temp\bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2864
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:2796
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:2888
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2600
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "EUJBTPMK" binpath= "C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2572

C:\Windows\system32\cmd.exe
cmd.exe
1⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
15KB

MD5
850d301a6235a5484e6ab0cf7c30b5ed

SHA1
bb9081c0315c390d8718ec62c083141f6d22b8af

SHA256
a757702aa85ae5cdd5506ba9e880c10e2db26858c5db2a6f01d1a15c0a3b4d37

SHA512
b331b5bb52676cff5921de42d675f8aee5593638ed6fcbe5cc3f2958fe4fa6eb1f4d853231b3879f9fd0f1f265a2ba9019ac84f226aab15b5eebed872e5183a0

Download Submit
\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
108KB

MD5
86d7f4ea1023fcbf301cf77bb1a80e42

SHA1
64316d86f10b52defa7a447ca967c2feb49986d3

SHA256
1d8ebab82ec5888cd6c1e978ae000e96e4e69b78aaed8558e980fb9ef5a3df41

SHA512
14e8d03b489ca83fabb85a1364781db8cd3ae6656bc3b5badf2f1bc7a0e5c0bc5989cbdc9348cfef86f2d0abd9feda304c390311e73a6ac05ebf73f8d92d3b65

Download Submit
\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
391KB

MD5
790022f0a0f81473f2af559d9534830d

SHA1
7c7971f73275c9ff37a27ea41e8d23b5051ab885

SHA256
7d9c7bf7bf2e4f4497a62e6635c6f1be4478982e3a8ff835b05c1512d8c38ec3

SHA512
77b0e171e3c518670fa84bc9f98d073fc657f0fe428c8f5e43c075cbbc0901c2eb0a667d4256f59b62d07ed07560caf48099056c3851e554415daf86e35187a8

Download Submit
memory/2624-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-8-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-11-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-12-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2624-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-20-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2624-21-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/2624-19-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-22-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2624-23-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing