xmrig | bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f

General

Target

bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
Size

2.6MB
MD5

34d4591575fdbde20d36469f54b0022f
SHA1

0a938faca18c4733bc5fad3b1ae8c523eebcba86
SHA256

bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f
SHA512

daf858837283aa9a7f211ecbad745640070645099cbf84a73bd4a23cd166f86a884e8156fa7e76da3d2866dd8ce8fc0e3fe6d983c90558c9a1ab5ddb29f23643
SSDEEP

49152:CrifRBLHC9vvGmkPqzwhzcVUjEBjALZSIlvPfcM/uW8/ae89VqyJBbtKn7:CrALHC9vGm6hILBjALUIlvPUM2W3e89I

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1816-9-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-12-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-15-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-19-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-20-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-22-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-23-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-24-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1816-25-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

3 1816 cmd.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

uyzpsnbeowaz.exe

pid process

3636 uyzpsnbeowaz.exe

flow	pid	process
3	1816	cmd.exe

pid	process
3636	uyzpsnbeowaz.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1816-4-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-8-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-12-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-19-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-20-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-22-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-23-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-24-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1816-25-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

uyzpsnbeowaz.exe

description pid process target process

PID 3636 set thread context of 1816 3636 uyzpsnbeowaz.exe cmd.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3344 sc.exe
3384 sc.exe
3704 sc.exe
752 sc.exe

description	pid	process	target process
PID 3636 set thread context of 1816	3636	uyzpsnbeowaz.exe	cmd.exe

pid	process
3344	sc.exe
3384	sc.exe
3704	sc.exe
752	sc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exeuyzpsnbeowaz.exe

pid	process
3696	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3696	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3696	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3696	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3696	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3696	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3696	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3696	bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
3636	uyzpsnbeowaz.exe
3636	uyzpsnbeowaz.exe
3636	uyzpsnbeowaz.exe
3636	uyzpsnbeowaz.exe
3636	uyzpsnbeowaz.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

636

pid	process
636

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exe

description	pid	process
Token: SeShutdownPrivilege	3404	powercfg.exe
Token: SeCreatePagefilePrivilege	3404	powercfg.exe
Token: SeShutdownPrivilege	4436	powercfg.exe
Token: SeCreatePagefilePrivilege	4436	powercfg.exe
Token: SeShutdownPrivilege	2420	powercfg.exe
Token: SeCreatePagefilePrivilege	2420	powercfg.exe
Token: SeShutdownPrivilege	3308	powercfg.exe
Token: SeCreatePagefilePrivilege	3308	powercfg.exe
Token: SeShutdownPrivilege	1292	powercfg.exe
Token: SeCreatePagefilePrivilege	1292	powercfg.exe
Token: SeShutdownPrivilege	4568	powercfg.exe
Token: SeCreatePagefilePrivilege	4568	powercfg.exe
Token: SeShutdownPrivilege	1312	powercfg.exe
Token: SeCreatePagefilePrivilege	1312	powercfg.exe
Token: SeShutdownPrivilege	4184	powercfg.exe
Token: SeCreatePagefilePrivilege	4184	powercfg.exe
Token: SeLockMemoryPrivilege	1816	cmd.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

uyzpsnbeowaz.exe

description	pid	process	target process
PID 3636 wrote to memory of 1816	3636	uyzpsnbeowaz.exe	cmd.exe
PID 3636 wrote to memory of 1816	3636	uyzpsnbeowaz.exe	cmd.exe
PID 3636 wrote to memory of 1816	3636	uyzpsnbeowaz.exe	cmd.exe
PID 3636 wrote to memory of 1816	3636	uyzpsnbeowaz.exe	cmd.exe
PID 3636 wrote to memory of 1816	3636	uyzpsnbeowaz.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe
"C:\Users\Admin\AppData\Local\Temp\bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3696
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:3344
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "EUJBTPMK" binpath= "C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:3384
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:3704
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:752

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
1.1MB

MD5
a39d392077c20e12083513e277bb9cdf

SHA1
562ca81ee6968734b2918796b617c2981176873e

SHA256
a3fba6b795dc77a9ca4488eb2aeb89eec1bc8abab53edad6f77f261c0d5fe8ed

SHA512
abaf7a04a2b1065ab346e75bd02f1432a25ce5c99cddf0f749f77689b208bcbf2a9b67cbfff3c155ec4dfe2423eb3b7cd8e087a7418d102e557d096d21b9f0fa

Download Submit
C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
641KB

MD5
4ccdccb23dae09139486e37cc0c12cde

SHA1
c6c1bd1512cbd9d472efd313b2f9893e2102fcbe

SHA256
eb8976b1b6e0ecbf1bfe7effb763fd2128472e62db11635fedfdaedba36e8a80

SHA512
c15d1aab852d1c976f6cb1d30d2f92dff523a1a0227007c703ba5a66ce18a3b6751ba7ff09303cdb498fa9fd0a0b21d27c543e2c742de9e2faaad30f99d28348

Download Submit
memory/1816-4-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-8-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-11-0x000001951E3F0000-0x000001951E410000-memory.dmp

Filesize
128KB

Download
memory/1816-12-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-19-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-20-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-21-0x000001951E710000-0x000001951E750000-memory.dmp

Filesize
256KB

Download
memory/1816-22-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-23-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-24-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-25-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1816-26-0x000001951E750000-0x000001951E770000-memory.dmp

Filesize
128KB

Download
memory/1816-27-0x000001951E770000-0x000001951E790000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads