xmrig | 50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

General

Target

tmp.exe
Size

6.4MB
MD5

2eafb4926d78feb0b61d5b995d0fe6ee
SHA1

f6e75678f1dafcb18408452ea948b9ad51b5d83e
SHA256

50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30
SHA512

1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e
SSDEEP

196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1180-17-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-18-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-19-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-20-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-29-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-31-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-32-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1180-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exeiojmibhyhiws.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2984 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

iojmibhyhiws.exe

pid process

464
2796 iojmibhyhiws.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

464

pid	process
2984	cmd.exe

pid	process
464
2796	iojmibhyhiws.exe

pid	process
464

Suspicious use of SetThreadContext 2 IoCs

Processes:

iojmibhyhiws.exe

description	pid	process	target process
PID 2796 set thread context of 1760	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 set thread context of 1180	2796	iojmibhyhiws.exe	conhost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2676 sc.exe
2820 sc.exe
2968 sc.exe
2988 sc.exe

pid	process
2676	sc.exe
2820	sc.exe
2968	sc.exe
2988	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exeiojmibhyhiws.execonhost.exe

pid	process
2684	tmp.exe
2684	tmp.exe
2684	tmp.exe
2684	tmp.exe
2684	tmp.exe
2796	iojmibhyhiws.exe
2796	iojmibhyhiws.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe
1180	conhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

conhost.exe

description pid process

Token: SeLockMemoryPrivilege 1180 conhost.exe

description	pid	process
Token: SeLockMemoryPrivilege	1180	conhost.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

cmd.exeiojmibhyhiws.exe

description	pid	process	target process
PID 2984 wrote to memory of 2620	2984	cmd.exe	choice.exe
PID 2984 wrote to memory of 2620	2984	cmd.exe	choice.exe
PID 2984 wrote to memory of 2620	2984	cmd.exe	choice.exe
PID 2796 wrote to memory of 1760	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1760	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1760	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1760	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1760	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1760	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1760	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1760	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1760	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe
PID 2796 wrote to memory of 1180	2796	iojmibhyhiws.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2684
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:2676
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2820
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2620
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:2988

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1760
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
234KB

MD5
93483ae289f4a15554a369cc5af7c0c6

SHA1
23717954c161e75ac2db06d6981edf3e87c5f7ca

SHA256
b7ba87682457c561e913f7721b1f69c623fc3c1bc2b258b47a2c392ca62a63da

SHA512
8df1d214d35b149d3c7c69afeb8dedaaca37d6c8d0301aef090e459baccd76f9b862e3ea6e84d36a140041ea2afada1917a98793169042800e53949b0bd88cb3

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
735KB

MD5
f93a3f9b0a9e05f0d704f0de8ea88ff5

SHA1
01ef892af10e3db29a4a3e26b7ffc46176546099

SHA256
b09b55bdde23b5ac4b3209b94943a45d58b3c759c3b0478a618bca9092968840

SHA512
3adaa32775756990b861e65ca223ffa2dcfbf7fa3b1c58c02d0f322e8abcbeb22932cc617517b2562cc926b5f08ad819bc9ae1f516ac23390f715290ec9c01ee

Download Submit
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
1.5MB

MD5
7a3b9c86aa5ffb4a570c8463f98359af

SHA1
47695634b97d8468ff191f1a0039134bd87d3114

SHA256
89452ade465b2e0006d39993f9546922041bed2e13bc949561f3e02e6c6952a8

SHA512
327a4e77861cf6bd555ee903544a720143dbf9722f4e1bb8d4a05f79c3764ad9b1c037c8f6b7c08cfbdc7422b482d7cf2ba12d1d07706954a47264ef834c2a56

Download Submit
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
791KB

MD5
04eb22e8afb6cfefdebba4c2514af18f

SHA1
3ff1c076deda284a7a0afe63aa71b55073c9273c

SHA256
28c97cb658d8636e8855732e7217cf79f1de312c14b8878440ba99d65400c76c

SHA512
3719d0aad39302228c89a5d3c66f447377af39a299c2f774e1f86af622d4ccfb5d365bcb649e8a54e83269e4f230dc16d155b2a45809fd4d56f7eba07826ce4a

Download Submit
memory/1180-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-16-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-32-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-31-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-29-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-28-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1180-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-17-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-18-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-19-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1180-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1760-14-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1760-11-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1760-10-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1760-9-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1760-7-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1760-8-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2684-0-0x000000013FC60000-0x000000014069D000-memory.dmp

Filesize
10.2MB

Download
memory/2684-2-0x000000013FC60000-0x000000014069D000-memory.dmp

Filesize
10.2MB

Download
memory/2796-26-0x000000013F1D0000-0x000000013FC0D000-memory.dmp

Filesize
10.2MB

Download
memory/2796-6-0x000000013F1D0000-0x000000013FC0D000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads