xmrig | 50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

6.4MB
MD5

2eafb4926d78feb0b61d5b995d0fe6ee
SHA1

f6e75678f1dafcb18408452ea948b9ad51b5d83e
SHA256

50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30
SHA512

1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e
SSDEEP

196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral1/memory/2944-17-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-18-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-19-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-20-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-29-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-31-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-32-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2944-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
484	Process not Found
2592	iojmibhyhiws.exe

Loads dropped DLL 1 IoCs

pid	Process
484	Process not Found

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 2452	2592	iojmibhyhiws.exe	40
PID 2592 set thread context of 2944	2592	iojmibhyhiws.exe	41

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2012	sc.exe
2536	sc.exe
2628	sc.exe
2632	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	tmp.exe
2184	tmp.exe
2184	tmp.exe
2184	tmp.exe
2184	tmp.exe
2592	iojmibhyhiws.exe
2592	iojmibhyhiws.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe
2944	conhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2944	conhost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2860	2656	cmd.exe	38
PID 2656 wrote to memory of 2860	2656	cmd.exe	38
PID 2656 wrote to memory of 2860	2656	cmd.exe	38
PID 2592 wrote to memory of 2452	2592	iojmibhyhiws.exe	40
PID 2592 wrote to memory of 2452	2592	iojmibhyhiws.exe	40
PID 2592 wrote to memory of 2452	2592	iojmibhyhiws.exe	40
PID 2592 wrote to memory of 2452	2592	iojmibhyhiws.exe	40
PID 2592 wrote to memory of 2452	2592	iojmibhyhiws.exe	40
PID 2592 wrote to memory of 2452	2592	iojmibhyhiws.exe	40
PID 2592 wrote to memory of 2452	2592	iojmibhyhiws.exe	40
PID 2592 wrote to memory of 2452	2592	iojmibhyhiws.exe	40
PID 2592 wrote to memory of 2452	2592	iojmibhyhiws.exe	40
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41
PID 2592 wrote to memory of 2944	2592	iojmibhyhiws.exe	41

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2184
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:2012
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2536
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2860
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:2632

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2452
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
3.7MB

MD5
929142bbcf5849a809a90ce9a912bacd

SHA1
56f25fba8a1d63eff05005a1bb3541d1115c620a

SHA256
82341a75279921ae3cc03a83e8b5abc1b95f494becd47e784e0f7c421701b1fd

SHA512
092fd983205dcb109ff22a524600dbc28fca31457b8e4b2275b8f28188cf5902c3fbfd5eb28b7b92e2e02ae1a03d183d466d8b529733ece12f39e486a3bc8b9d

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
4.9MB

MD5
54e805f9db8eac6b777b71b93d87a7ea

SHA1
f0b4bf01a17c913b21c09252d0ae8e740c3f4701

SHA256
bf3ae2c3bec2ecfe5d74ce3582ba36340e4dcce655daba4ed3cb34155ee5f575

SHA512
d145c8b6fd550b12c5a7e75dd5f79372a502d25cbb959cb624e5342bfa092626939987c27e5a6e6014cb1497e29e89f8577e4500361141a154e25711a8a635c7

Download Submit
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
4.4MB

MD5
0f14fb09a67bd6ee497b0842d0912a29

SHA1
a66a9597422283a60ee8448e25334676ecd97698

SHA256
76de2da734b6c6d22558abc05bd69ddc886ea43dc5815ceac2694b7832d3e313

SHA512
0114b391dbbbb5466149341eafa20a46e765217a53e15a3faa7aab9e678cdf4da1029379b437aed55d234fc90ac68c34040e1479b1d3b9d3c35f9e52305a0ff1

Download Submit
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
3.9MB

MD5
39b5bb93d3995a7277dda88347c6d0e6

SHA1
2ff568e0956627885c3f3c6cc1d6a3edcfe18492

SHA256
41131cff4392d813878f85cf1ea68c66ea0d84a59a3ce4e206393a15e0be9d31

SHA512
0b2a2a09f7713d691fc7ed018f144f5f3d0a8eb3c81f4c38c9edaed59ca7fb113c1af9086899372632a9c208185ec0b7bd51609f730cbaa4c88129984520c81c

Download Submit
memory/2184-0-0x000000013FA30000-0x000000014046D000-memory.dmp

Filesize
10.2MB

Download
memory/2184-2-0x000000013FA30000-0x000000014046D000-memory.dmp

Filesize
10.2MB

Download
memory/2452-9-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2452-10-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2452-8-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2452-7-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2452-11-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2452-13-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2592-6-0x000000013F550000-0x000000013FF8D000-memory.dmp

Filesize
10.2MB

Download
memory/2592-26-0x000000013F550000-0x000000013FF8D000-memory.dmp

Filesize
10.2MB

Download
memory/2944-15-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-19-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-17-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-18-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-28-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2944-29-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-31-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-32-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2944-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download