xmrig | dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806

General

Target

dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806.exe
Size

2.5MB
MD5

5dec9f02f7067194f9928e37ed05c8f6
SHA1

06f13ca068514d08f0595ded4ef140078888235a
SHA256

dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806
SHA512

98f980ab103c54c4b1b344b738bcaccd10a35923749a730dd3386355897156d382f01715d07a056ff7451e876898a76268328f92d1e8203b254bb7a082f18e7c
SSDEEP

49152:A0jhMlqDbsynliN2InCFvy0l2aMEBLWw/3Ry0rP3Fga/EO7xhbAIXdTBpox:QyliNjnCFvxMEWw/hy0bFga/d7vbASB2

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2512-11-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2512-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2512-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2512-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2512-19-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2512-18-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 2 IoCs

Processes:

uwgxswmtctao.exe

pid process

484
1868 uwgxswmtctao.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

484

pid	process
484
1868	uwgxswmtctao.exe

pid	process
484

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2512-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-8-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-11-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-19-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2512-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

uwgxswmtctao.exe

description pid process target process

PID 1868 set thread context of 2512 1868 uwgxswmtctao.exe explorer.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1944 sc.exe
2352 sc.exe
1644 sc.exe
2176 sc.exe

description	pid	process	target process
PID 1868 set thread context of 2512	1868	uwgxswmtctao.exe	explorer.exe

pid	process
1944	sc.exe
2352	sc.exe
1644	sc.exe
2176	sc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806.exeuwgxswmtctao.exe

pid	process
1684	dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806.exe
1684	dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806.exe
1684	dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806.exe
1684	dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806.exe
1868	uwgxswmtctao.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

explorer.exe

description pid process

Token: SeLockMemoryPrivilege 2512 explorer.exe

description	pid	process
Token: SeLockMemoryPrivilege	2512	explorer.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

uwgxswmtctao.exe

description	pid	process	target process
PID 1868 wrote to memory of 2512	1868	uwgxswmtctao.exe	explorer.exe
PID 1868 wrote to memory of 2512	1868	uwgxswmtctao.exe	explorer.exe
PID 1868 wrote to memory of 2512	1868	uwgxswmtctao.exe	explorer.exe
PID 1868 wrote to memory of 2512	1868	uwgxswmtctao.exe	explorer.exe
PID 1868 wrote to memory of 2512	1868	uwgxswmtctao.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806.exe
"C:\Users\Admin\AppData\Local\Temp\dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1684
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "ACULXOBT"
  2⤵
  - Launches sc.exe
  PID:1944
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2352
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:1644
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "ACULXOBT"
  2⤵
  - Launches sc.exe
  PID:2176

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

Filesize
346KB

MD5
a4c22dbf998fdf87214e9187575a1511

SHA1
191d695db4fec63cd7a9be4c1c581d8a2798d15d

SHA256
826a4b370eb46e85dda90a67091a88666b4b9c6487f8a10e245664aedf855f30

SHA512
b422e081e975da5129b97ff5d74503e46a3a118c234fa2b172ed4b06fa1fa278b40fc63d69f4aa84dedd1f9d2f47b4abc1c944b41b487d2d3fe50de1d090592b

Download Submit
\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

Filesize
796KB

MD5
1e9de68d7863a0138ad5944ab55bf792

SHA1
8301e3e4389ce818d506fd5063b46f2f80a573b8

SHA256
506c01d5f9a152376ae8985a2fd540e138b1f7b72dcf9f006b845af093b5207c

SHA512
28c3c170851ac3858ff0e8f1e343bc6083b9edf701e7fc44722b71bd926c7a2b8d3672fc146507c48a3577fab37d0acae31336cfcac6ffadbe98639f14850110

Download Submit
\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

Filesize
128KB

MD5
d612d9d6dd2a8c6ed9aee4944daafef8

SHA1
09b523241299dad0b76f2af97d189055d16fe5b1

SHA256
d1561519293a2eb62454d86eb29f511744f32a0ec67a7c2ef2858590a315a628

SHA512
e747505660fd2c5650f270c6c641e6fcb40e518d8b6c72d5652b39dc63bbba5f8b0922b079f62243f1d24d2395fc24c5b3edf861779c0e4ed0e9239b7bb92512

Download Submit
memory/2512-11-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-12-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/2512-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-8-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-19-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-20-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/2512-21-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download
memory/2512-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2512-22-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/2512-23-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads