xmrig | 50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-02-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

6.4MB
MD5

2eafb4926d78feb0b61d5b995d0fe6ee
SHA1

f6e75678f1dafcb18408452ea948b9ad51b5d83e
SHA256

50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30
SHA512

1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e
SSDEEP

196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral1/memory/2616-17-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-19-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-18-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-20-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-29-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-31-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-32-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2616-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
468	Process not Found
2768	iojmibhyhiws.exe

Loads dropped DLL 1 IoCs

pid	Process
468	Process not Found

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 2624	2768	iojmibhyhiws.exe	41
PID 2768 set thread context of 2616	2768	iojmibhyhiws.exe	40

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2780	sc.exe
2728	sc.exe
2716	sc.exe
2816	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1216	tmp.exe
1216	tmp.exe
1216	tmp.exe
1216	tmp.exe
1216	tmp.exe
2768	iojmibhyhiws.exe
2768	iojmibhyhiws.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2616	conhost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2608	2696	cmd.exe	38
PID 2696 wrote to memory of 2608	2696	cmd.exe	38
PID 2696 wrote to memory of 2608	2696	cmd.exe	38
PID 2768 wrote to memory of 2624	2768	iojmibhyhiws.exe	41
PID 2768 wrote to memory of 2624	2768	iojmibhyhiws.exe	41
PID 2768 wrote to memory of 2624	2768	iojmibhyhiws.exe	41
PID 2768 wrote to memory of 2624	2768	iojmibhyhiws.exe	41
PID 2768 wrote to memory of 2624	2768	iojmibhyhiws.exe	41
PID 2768 wrote to memory of 2624	2768	iojmibhyhiws.exe	41
PID 2768 wrote to memory of 2624	2768	iojmibhyhiws.exe	41
PID 2768 wrote to memory of 2624	2768	iojmibhyhiws.exe	41
PID 2768 wrote to memory of 2624	2768	iojmibhyhiws.exe	41
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40
PID 2768 wrote to memory of 2616	2768	iojmibhyhiws.exe	40

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1216
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:2716
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2816
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2780
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2608

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
197KB

MD5
429b8f4f4795ae34c630cae5ec8106a0

SHA1
a5b2029dc643a74a96a29e793f6d4b8ea483a12e

SHA256
79934ca6941d5ee54839c9c69012a9bf391bdde82fb2e4ccf09733deea9fa591

SHA512
f6634c77e7ec8c6a6c4c16c0f83d84b49628e33241611f2cddea733d8aef9abeef99fdab20a0166425d3cbcfc07714c3d46de4e34f4ac5d9d42e2fc942655a3c

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
1.6MB

MD5
5acf52846839b4da0da07b2fcf0bff0c

SHA1
8da4922d5cb0033eb771f2a3e1facb81047f7ba8

SHA256
97388f7f6729e961806407b8ba0565f5012f7a5e0346c2d99d2df9ed37abb864

SHA512
ad9efe2ff4819d2a5a1210e29b32c59f22ab9a229e03e378a4cf671604ce3efeb610b94094ddac29f9fd30b62787718f71c8ed3fee25c7f0b66fc00aaffc546f

Download Submit
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
2.1MB

MD5
ee529acec8a05a3c2e5aaaf1a570bf2f

SHA1
4cd23316764cf53c5e7c99ef430e395009ef8102

SHA256
a7337cd26565a4903e8b061568419763a3fd667929765ea5daef817a8f9533c3

SHA512
677f066921ee3f269d7352b7cc6b0dd918dab1bca03f07449b7f963949b616e71c89292a8611c6f87f102947250b2e4afafae32b12fdddb819eb7e80a4ca40fa

Download Submit
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
1.2MB

MD5
c66d64e2e166a7f78fe25ffaf1b5ba80

SHA1
ac7fbaaf171af92e46129ba59af6b15992ae692b

SHA256
2808ad7368cdd818932673d3837979942de9faee39d6ad29cc7fcf2d9a7c63f5

SHA512
738212d7b2963030e39b71e3fcde8a584fc14e2e0d324291d3ac2aaa55616a3634f9d1858e80e251307e2124f552537432968d0886c43f4f702fc25f85ebbba2

Download Submit
memory/1216-2-0x000000013FC90000-0x00000001406CD000-memory.dmp

Filesize
10.2MB

Download
memory/1216-0-0x000000013FC90000-0x00000001406CD000-memory.dmp

Filesize
10.2MB

Download
memory/2616-28-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/2616-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-37-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2616-15-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-17-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-36-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2616-19-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-18-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-32-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-31-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2616-29-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2624-14-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2624-8-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2624-7-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2624-9-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2624-10-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2624-11-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2768-6-0x000000013FF20000-0x000000014095D000-memory.dmp

Filesize
10.2MB

Download
memory/2768-26-0x000000013FF20000-0x000000014095D000-memory.dmp

Filesize
10.2MB

Download