xmrig | bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f

General

Target

bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
Size

2.6MB
MD5

34d4591575fdbde20d36469f54b0022f
SHA1

0a938faca18c4733bc5fad3b1ae8c523eebcba86
SHA256

bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f
SHA512

daf858837283aa9a7f211ecbad745640070645099cbf84a73bd4a23cd166f86a884e8156fa7e76da3d2866dd8ce8fc0e3fe6d983c90558c9a1ab5ddb29f23643
SSDEEP

49152:CrifRBLHC9vvGmkPqzwhzcVUjEBjALZSIlvPfcM/uW8/ae89VqyJBbtKn7:CrALHC9vGm6hILBjALUIlvPUM2W3e89I

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral2/memory/600-12-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-15-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-9-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-19-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-20-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-22-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-24-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-25-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/600-23-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	600	cmd.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
2456	uyzpsnbeowaz.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/600-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-4-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-8-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-12-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-19-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-20-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-22-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-24-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-25-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/600-23-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 600	2456	uyzpsnbeowaz.exe	88

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
720	sc.exe
1544	sc.exe
3052	sc.exe
752	sc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3148	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3148	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3148	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3148	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3148	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3148	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3148	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3148	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
2456	uyzpsnbeowaz.exe
2456	uyzpsnbeowaz.exe
2456	uyzpsnbeowaz.exe
2456	uyzpsnbeowaz.exe
2456	uyzpsnbeowaz.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeShutdownPrivilege	32	powercfg.exe
Token: SeCreatePagefilePrivilege	32	powercfg.exe
Token: SeShutdownPrivilege	200	powercfg.exe
Token: SeCreatePagefilePrivilege	200	powercfg.exe
Token: SeShutdownPrivilege	500	powercfg.exe
Token: SeCreatePagefilePrivilege	500	powercfg.exe
Token: SeShutdownPrivilege	2280	powercfg.exe
Token: SeCreatePagefilePrivilege	2280	powercfg.exe
Token: SeShutdownPrivilege	2044	powercfg.exe
Token: SeCreatePagefilePrivilege	2044	powercfg.exe
Token: SeShutdownPrivilege	1904	powercfg.exe
Token: SeCreatePagefilePrivilege	1904	powercfg.exe
Token: SeShutdownPrivilege	4228	powercfg.exe
Token: SeCreatePagefilePrivilege	4228	powercfg.exe
Token: SeShutdownPrivilege	1300	powercfg.exe
Token: SeCreatePagefilePrivilege	1300	powercfg.exe
Token: SeLockMemoryPrivilege	600	cmd.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 600	2456	uyzpsnbeowaz.exe	88
PID 2456 wrote to memory of 600	2456	uyzpsnbeowaz.exe	88
PID 2456 wrote to memory of 600	2456	uyzpsnbeowaz.exe	88
PID 2456 wrote to memory of 600	2456	uyzpsnbeowaz.exe	88
PID 2456 wrote to memory of 600	2456	uyzpsnbeowaz.exe	88

C:\Users\Admin\AppData\Local\Temp\bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
"C:\Users\Admin\AppData\Local\Temp\bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3148
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:200
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:3052
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:500
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:32
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "EUJBTPMK" binpath= "C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:752
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:720
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:1544

C:\Windows\system32\cmd.exe
cmd.exe
1⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
92KB

MD5
303a26df8d7376b5e4beaed725f9d251

SHA1
cf57c3e7a2e3e21f980af73f7e40c920bb949380

SHA256
99f02cc625d2fbc883649983de51bc2242416b631803e32711f3045d20cfd881

SHA512
645d119d6b5f25e8b3821c7bba71504c84f03382fc07dee82cded48d6e437566180132103d3b2566fa6ffd84963039e751a278c68a567f61d0130148a834ee19

Download Submit
C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
435KB

MD5
7129dce8fec8a9b0259bf820a265b0bb

SHA1
d3fc92f7a78d85b631a9120ae79324e1903b487b

SHA256
130662fd81cb14610a5f9e44f5910e6958bcb9dcaae4a8eb256ff6977f6b0029

SHA512
2ab2620c76223c32c3d6a1b32c3bd55f4e92b5c54dbc0d0e7fa3adf91276dc7d28f770bcd1fe25ae29518fa4098a8d5633229320ca7f388ce1673c7982b38796

Download Submit
memory/600-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-23-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-8-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-12-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-11-0x000002105D260000-0x000002105D280000-memory.dmp

Filesize
128KB

Download
memory/600-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-28-0x000002105D930000-0x000002105D950000-memory.dmp

Filesize
128KB

Download
memory/600-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-20-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-19-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-21-0x000002105D290000-0x000002105D2B0000-memory.dmp

Filesize
128KB

Download
memory/600-22-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-24-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-25-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-27-0x000002105D950000-0x000002105D970000-memory.dmp

Filesize
128KB

Download
memory/600-26-0x000002105D930000-0x000002105D950000-memory.dmp

Filesize
128KB

Download
memory/600-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/600-29-0x000002105D950000-0x000002105D970000-memory.dmp

Filesize
128KB

Download
memory/600-4-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download

Analysis

Sharing